The Australian Bureau of Statistics will reduce the length of time that names and addresses collected as part of the Census are retained after an independent privacy impact assessment recommended it do so.
The agency responsible for Australia’s largest peacetime operation has agreed to shorten the data retention period for names and addresses from four years to two and three years, respectively.
It modifies a decision made prior to the now infamous 2016 Census to collect names and addresses, which was immediately contentious and led to concerns it would impede the usefulness of collected data.
The 2021 Census PIA, conducted by Galaxia and released [pdf] on Tuesday, recommended the ABS “significantly reduce” the data retention period for names to 18 months.
It said that as the Census is only conducted every five years, there is a risk that holding names for four years amounts to “a de-facto permanent retention of identifying data, forming a significant national dataset that is held almost indefinitely.”
“The long-term retention of names presents an unacceptable level of privacy and security risk for the Census, and may undermine other privacy measures,” the report said, noting that “activities that require names are generally completed shortly after data … is processed for publication”.
In its response [pdf], the ABS said it now “intends to delete names after 18 months” where possible, though may keep them for a further six months where there are “technical or operational complications” in several use cases.
These use cases are “Census coding and processing … and the Post Enumeration Survey, linking to the ABS Person Linkage Spine (e.g. from MADIP [the Multi-Agency Data Integration Project], and the Indigenous Mortality Project)”.
While not as demanding as it was with names, the PIA also recommended that the retention of addresses fall to “a period of 24-36 months”. The ABS has agreed to retain addresses for 36 months.
The 2021 Census PIA, which is one of two PIAs [pdf] commissioned at the recommendation of inquiries conducted in the aftermath of the 2016 Census, also recommends that independent security risk assessments be conducted for key components.
Given that the former online portal was knocked out by a series of DDoS attacks, this includes a “specific assessment of the cloud platform”, noting that “this may be covered by existing security certifications”.
Big four consulting firm PwC has already been selected to build and operate the online platform for the 2021 Census on Amazon Web Services, with all data to be hosted in Australia.
In response, the ABS agreed and said “Information Security Risk Program (IRAP) assessments will be undertaken for all Census and ABS supporting systems by an Australia Signals Directorate accredited IRAP assessor”.
The ABS also said other “ABS security assessments of Census deployments on top of these cloud services”, while stressing that the AWS platform was accredited by the Australian Cyber Security Centre.
Other Census systems to be covered by the IRAP assessment will include the proposed MyWork App, which will allow field officers to communicate with Census management using either a smartphone or tablet.
The PIA also calls on the ABS to “clarify the relationship between Census data and the proposed Data Availability and Transparency (DATA) Framework”, which it has agreed to do once the proposed legislation is finalised.
It similarly wants the ABS to “Seek an exemption for the DATA Framework for the Time Capsule”, which is where personally-identified information is held for 99 years if a Census respondent has agreed.
The only recommendation that was rejected by the ABS related to the removal of “new health data collected in the 2021 Census from data submitted to the Time Capsule”.
The PIA said despite the 99-year delay on the release of information from the Time Capsule, including such information, which is released as raw/identified data, is “high risk” and “could have a potential impact on individuals”.
But the ABS rejected this as the inclusion of the data is voluntary and requires that “each person agree to their name, address and other information being kept by the National Archives of Australia and then made publicly available after 99 years”.
The PIA also offers a number of structural recommendations, such as developing a longer-term Census Privacy Strategy and developing a principles-based approach to name encoding for data linkage and managing re-identification risk, which the ABS has agreed to.
ABS’ Census division general manager Chris Libreri said the ABS welcomed the findings of both PIAs and was now working to address the recommendations.
“Protecting people’s privacy is a key priority for us,” he said.
“The ABS has been using a privacy-by-design approach from the beginning of this Census. This approach considers privacy in all aspects of Census planning and processes.
“Combined with legislation, strong risk management, governance and security strategies, we are ensuring that people’s privacy is considered at every stage of our preparations.
“We will do a separate privacy impact assessment for any other specific Census activities that require it and continue to consult widely as we move towards 2021.”